[clamav-users] Is the signature "Win.Tool.Hoax-9939325-0" really problematic?
G.W. Haywood
clamav at jubileegroup.co.uk
Mon Apr 11 08:08:26 UTC 2022
Hi there,
On Mon, 11 Apr 2022, alex via clamav-users wrote:
> Recently, ClamAV sent us the following alert "Win.Tool.Hoax-9939325-0"
> on one of our executables. This software was developed by our teams and
> has not been modified since 2014. And suddenly, an alert is lifted...
On a point of order, in English we would say "an alert is raised".
It's clear that you aren't a native English speaker so I understand
that the distinction may be a little confusing to you, but I assure
you that it's no more confusing to you than "lifted" was to me when
first I read it. :)
> After some research in the ClamAV VirusDB announcements, I found
> that this signature was added on February 18, 2022 ...
This begs the question "Why was this almost two months ago?"
> We investigated on our side and saw that the alert was lifted because of 5 subsignatures:
>
> * OnClientToHostWindowX
> * OnDownloadComplete(
> * OnFrameNavigateComplete4
> * OnDownloadBegin4
> * OnStatusBar
>
> These functions come from a Borland library. ...
Is the library still supported, e.g. with security fixes?
> Does ... "Win.Tool.Hoax-9939325-0" detect something really
> problematic that can compromise our system via our executable?
I doubt it, but I'd imagine you should wait for feedback from the
signature team. They're very busy so it might take a while. Other
readers of this list might have some observations.
> Is there a way to bypass the lifting of this signature, without
> completely ignoring it, if it ultimately proves useful against other
> files?
Not directly in ClamAV, but you could either
(1) ensure that whatever feeds files/directories/data to the scanner
ignores your binary (see docs); or
(2) whitelist the signature as a false positive (see docs) and then,
optionally, create your own signature which is based on this one but
which specifically avoids flagging your binary.
--
73,
Ged.
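Option (2) above, as a worked example added here (it is not from the thread or from the ClamAV project): the two local-database formats involved, assuming ClamAV's documented `.ign2` layout (one signature name per line, which disables that signature entirely) and `.fp` layout (`MD5:size:name`, which whitelists one specific file while leaving the signature active for everything else, i.e. what the original poster asked for). The file names `local.ign2`/`local.fp` and the sample binary are my own choices.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread.
# Produces two ClamAV local-database files for handling a false positive:
#   local.ign2 - signature names to ignore globally (one per line)
#   local.fp   - file-level whitelist, one "MD5:size:name" entry per file
# Either file is loaded when placed in ClamAV's database directory
# (path assumed: <clamav-db-dir>) or passed with "clamscan -d <file>".

# One .ign2 line: just the signature name, e.g. Win.Tool.Hoax-9939325-0.
ign2_line() {
    printf '%s\n' "$1"
}

# One .fp line for the file in $1, labelled with $2:
# MD5 of the whole file, its size in bytes, and a free-form name.
fp_line() {
    f="$1"
    label="$2"
    hash=$(md5sum "$f" | cut -d' ' -f1)
    size=$(wc -c < "$f" | tr -d ' ')
    printf '%s:%s:%s\n' "$hash" "$size" "$label"
}

# Write both files into directory $1 for signature $2 and binary $3.
# In practice use only local.fp if the signature should stay active.
write_whitelist() {
    dir="$1"; sig="$2"; bin="$3"
    ign2_line "$sig" > "$dir/local.ign2"
    fp_line "$bin" "$(basename "$bin")" > "$dir/local.fp"
}
```

Note that the `.fp` entry is tied to the exact bytes of the file, so it must be regenerated whenever the executable is rebuilt or re-signed.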